Archive for 'Info Sec Research'

I continue working my way through the ISO 27001 Standard Document. When I look at Appendix A, it appears I may be about to make a breakthrough in terms of understanding. The title is Controls and Objectives. For the first time this looks like a list of practical things one has to do to comply with the ISO 27001 Information Security standard.

For example, at A.5.1.1 it declares “An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.” What this practically means is that at minimum I need to find a model Information Security policy, insert my company’s name, sign it and stick it up on the company website and wahey - route one compliance with A.5.1.1! To do things properly, I will have to tailor the policy to the specific requirements of a secure data erasure company. I am starting to understand what is practically being asked for by ISO 27001, the information security standard.

The next four controls up to A.6.1.3 aren’t as easy as A.5.1.1, but they could be met with a bit of thought and paperwork. I turn the page and there are more controls.

A.6.1.4 says I need an authorization process for new information processing facilities. I get this, but how do I do it in a small organisation? Does this mean a mandatory testing process for any new bit of kit or software? Would my company have the resources for that? Maybe it would just apply to secure data erasure software or hard drive destruction equipment.

A.6.1.5 talks about the need to have Confidentiality Agreements or NDAs in place, which is fair enough and clearly understood.

A.6.1.6 and A.6.1.7 require the maintenance of contacts with authorities and special interest groups in security forums or specialist associations. I don’t know what this means in practice though. What kind of authorities are they talking about? Does this mean government, police or what? Is one meant to have meetings with them? I am also not part of any security-related professional associations, and, if I was going to be, which ones should I try and be a member of? And again, what does “maintain contact” mean exactly?

Having recently been spurred on by the appearance of my “Control of Documents and Records” friends, I am now getting bogged down again. I wonder what lies in the pages ahead. So I turn over and see more controls. I turn again and there are more. And again - more. I gulp - it feels like I am desperately reaching for air in the face of a massive wave of controls which is about to overwhelm me.

I turn the page 5 more times before I get to the end of the list of ISO 27001 Controls and Objectives - I am just looking at the page numbers now - closer focus is detrimental to my well-being.  The wave is right on top of me - what do I do to escape?

I had an automated email from Alan Calder the author of the IT Governance Toolkit today. Alan tells me that I get five times more content in the full version. Well that’s shrunk by half from a couple of days ago. “Maybe he’ll reduce his prices accordingly,” I think fleetingly. Then I realize the follow up email adds some value but he’s really just stoking up the pressure so that I buy the Toolkit.

Chapter 4 of A Manager’s Guide to Data Security and ISO27001/ISO27002 is about the organisation of information security. I am beginning to see the value in this book. Mr Calder does a thorough job in explaining the various individuals and committees or groups who will have responsibilities for the implementation of an ISMS in a large organisation. He explains what their roles should be and the competences required. Also buried in the text are some references or web links for further information. For example, he mentions the 3 magazines he believes to be the most useful magazines to read: SC Magazine, Infosecurity Today and Information Security. This is really, really useful up to date information.

The difficulty for me is that most of this information is not relevant to me. I am not running a large corporate but a business which will only have a handful of employees to start. I still need to know what practically I have to do to get this certification or whether it just isn’t going to be possible.

The title of chapter 6 is more promising. It’s about two things I don’t have much experience of – Risk Assessment and Statement of Applicability.

There are a few sentences that spring out from the page. These include: “for every control that the organisation might implement, the calculation would be that the cost of implementation would be outweighed, preferably significantly, by the economic benefits that derive from, or economic losses that are avoided as a result of, its implementation”. In other words there is a clear indication of a “reasonableness” judgement here. In that case a small organisation might be excused from certain requirements on account of its size. I have been told that ISOs can apply to any organisation. However, I am not sure if there are actually minimum technical or staffing requirements which must be met and, if so, what are they?

Mr Calder then goes on about Quantitative Risk Analysis and its Elements. I switch off again – if only he’d give an example of one he did before (like Blue Peter) then I’d grasp it so much more quickly than I would reading the theory behind the process and a description of it with no example to hand.

Key sentence number two: “Controls are countermeasures to risks.” Great, nice, concise …. but it doesn’t stay simple for long. Controls can either be directive, preventative, detective, corrective or recovery controls.

Key sentence number 3: “the Standard.. requires the organisation to select appropriate control objectives and controls …it clearly invites organisation to do this exhaustively..” The word “invite” normally has an enjoyable indirect object, I think to myself, e.g. a party. It doesn’t here.

Based on notes from my diary from May 2008.

I resolve to “read” Mr Calder’s book which I ordered from Amazon from “cover to cover” – or at least to peruse the whole thing so I know what it contains.

On the face of it, from a cursory glance it looks okay. It’s written by a Briton with a UK audience in mind, it’s only just been published and, best of all, the typeface is nice and big so its 300 pages shouldn’t take forever to digest!

The book’s got 28 chapters. Seemingly chapters 5 to 26 are about different areas of security, e.g. Human Resource Security and the physical protection of your site and offices, amongst other things. I am keen to get into chapter 5 onwards as I hope these will tell me what practically I need to do to comply with the ISO 27001 Standard.

Chapter 1 explains what Information Security is. This is a well written introduction for somebody with a business brain who really didn’t know. It explains the reasons why information security is becoming increasingly important. Chapter 2 explains how various pieces of predominantly US and UK legislation have converged and morphed into a compliance model. Sarbanes-Oxley is included in this.

Chapter 3 is about the ISO 27001 standard itself – I groan on p39 when Plan Do Check Act makes a reappearance.

Suddenly, I find a nice clear list on page 40. There are six steps to planning for ISO 27001:

  1. Define the scope of the management system
  2. Define the policy
  3. Find a risk assessment method
  4. Carry out the risk assessment
  5. Decide how these risks are going to be countered or mitigated
  6. Prepare a Statement of Applicability – whatever that is.

Then Alan Calder talks about what we actually have to do:

| Alan Calder’s Points | My Reaction / Thoughts |
|---|---|
| 1. Formulate a risk treatment plan and document it, including planned processes and supporting documentation | I haven’t yet seen such a Risk Treatment Plan and have no idea what the other documentation should look like |
| 2. Implement the risk treatment plan and planned controls | I know what a control is but I would like to see an example of one at this stage |
| 3. Training for staff | OK, but on what? |
| 4. Managing operations and resources in line with the management system | A statement of common sense which gives little guidance as to how it’s done |
| 5. Implementation of procedures that allow prompt detection and response to security incidents | OK, I trust this would be an audit trail of updates to a SQL database, for example |

There is more useful stuff on page 43 with a list of required documentation. Some of this is readily understandable in that it says the information security policy and the scope of the management system must be defined. These are short documents and you need only one of each of them. I have learnt from my Supply London courses that the Policy is a statement of an organisation’s intent to continually improve its information security. The Scope is that area of your organisation to which the management system applies, e.g. the customer service department, the whole company or its Scottish operations.

Things get more confusing again further down the list of required documents. One needs documented procedures which implement specific controls.

Buried in this paragraph is an explanation that a Work Instruction is an “even more detailed description of how to perform a specific task” than a procedure. So I was basically correct when I thought these two amounted to the same thing. Perhaps all this is very confusing but I am getting an accurate grasp after all. I find this reassuring and move on to Chapter 4!

Based on entries in my diary from May 2008.

I continue my inspection of Alan Calder’s sample ISO 27001 Toolkit.

Next I focus on “Procedures”. I am hoping this is the area in which things might become clearer. I think I have some advance understanding of what to expect here. I have got a draft staff manual from my solicitor and it tells employees what they can and can’t do with regards to email, internet access and other things. E.g. you can’t visit certain websites from work computers or use work email for private purposes.

The example procedures provided by Alan Calder here state over and over again that “The organisation requires……” For example, “the organisation requires that users of notebook computers carry with them at all times the chargers and spare batteries specified in the user agreement.” This is good advice and I suppose one has to write it down so that it will be followed and nobody can say that they didn’t know about the rule.

I am presently confused about the difference between policies and procedures within the context of the Toolkit, although I obviously have a clue from life in general. E.g. procedures are made up in light of a policy and followed in order to comply with the policy.

Similarly, there’s a “Tier 3 Work Instruction” for employees about how to use Voicemail – not to give security information out on recorded messages unwittingly and the like. A third of the text of this work instruction seems to appear on every policy, procedure or work instruction document. Why does one need a “Work Instruction” that lays down rules as well as a procedure – why not incorporate everything in the latter?

Other declarations of the obvious in the sample procedures include, “The IT Manager is responsible for specifying, ordering, providing the firewalls, malware, automatic updating and connectivity and back-up facilities….”

The principles of Plan Do Check Act make another appearance. On seeing it, I turn the page quickly.

The most interesting item among the remaining files is an Information Security Manual – 38 sides of it. However, again it seems to come out with circular sentences that state the obvious.

In sum, this toolkit may be useful to some people. Sure, I’ve only seen 10 per cent of it. It has not, however, given me examples of the application of ISO 27001 and what you need practically to do to comply with it or to make your organisation secure. I think that if you’d done an ISO 27001 implementation previously, the Toolkit would save you time. I am starting from scratch and it hasn’t helped me much.

Based on entries in my diary from May 2008.

I continue perusing the ISO 27001 Sample Toolkit. 

I look at a sample policy. There are 3 or 4 bullet points covering the specifics of the policy itself. Two thirds of the document is made up of the same or very similar standard blurb which appears atop and afoot all the other sample policies. Other information includes who the author is and where the document can be found.

Explanations provided within the sample document templates include ones such as “the Organisation protects its networked services in line with its Access Control Policy from unauthorised Access”. This is exactly the same type of sentence as I took Ray Tricker to task for. Is anyone really any the wiser after a sentence like this? Why do you need to state that the purpose of an Access Control policy is to prevent unauthorised access? Isn’t that just common sense?

Even more scarily, these templates have big gaps in them where one is meant to insert text to suit one’s organisation. It strikes me that filling in the blanks is not going to be straightforward. I was hoping more for a “delete the text that doesn’t apply to your organisation” approach. There is no example text provided that one could lift and adapt to fill these gaps.

Hints about what might rightly fill the gaps are not straightforward. In one of them, the Toolkit advises me to enter “details of appropriate authentication mechanisms…”. I think this could simply be a requirement for a password. The answer, despite all the documented complexity, is probably that straightforward, but the whole thing is so bamboozling I don’t know!

There is a Policies and Procedures Diagram. I am really expecting overload here. As I double click it I am cringing in anticipation of seeing much complexity before me and how mind boggling it is going to be. My cringe turns to a broad smile as my PC tells me that it doesn’t have the software to open the document up! I happily move on.

Based on entries in my diary from May 2008.

ITG offers a series of toolkits which can be downloaded for something between £400 and £1,000 depending on the contents.

I am sceptical about paying this sort of money for a download from the internet which isn’t actually software – it will be a series of templates. Anyways, there’s a free trial which I download. The confirmation email tells me it contains 10% of the contents of the full toolkit.

The first document I open up is the Toolkit Contents and Change History, which is six sides long. All this does is list all the changes made to all the documents within the Toolkit and gives them lots of reference numbers. This is a massive turnoff. I gulp – I can’t even find an index at the moment.

The Toolkit talks on about Tier 1, Tier 2 and Tier 3 documents but there isn’t an obvious explanation of what this means. It also talks about a ‘Statement of Applicability’ - I am similarly confused.

There’s an Introduction to the Toolkit document which I can understand because it’s the one which encourages you to buy the proper versions and spend £500 plus quid!! I understand most of the contents. The contents list is thus:

| Content | My View |
|---|---|
| A model Information Security Policy | Got it! |
| A model Statement of Applicability | Not sure what this is |
| A pre-written Information Security Manual | Sounds good |
| A Business Continuity Plan | Sounds good |
| A Service Level Agreement Template | Sounds heavy |
| vsRisk™ and RA2 Risk Assessment Tool integration templates | I am sure this is going to be a complete overload of management methodology |
| 400 pages of fit-for-purpose information | Load me up |
| 110 pre-written policies, procedures, templates and guidance | Good |
| Implementation manager | Sounds like another case of overload |
| Enterprise security assessment tool | Sounds overly grand |
| Gap analysis/ISO27001 Audit tool | Gap analysis – I’ve done that before |
| ‘What is BS7799/ISO17799?’ (project staff training slides) | Please, not PowerPoint? |
| PDCA and documentation pyramid presentation | More unnecessary diagrams and complexity? |
| Unique drafting support service | OK |
| 12 months of automatic upgrades | You mean they don’t leave you alone even after giving you all this guff! Just kidding! |

Next there are some user instructions – in fact there are 48 of them over 5 pages. These are legible and understandable. There’s good, frank advice embedded in here like “Creating your ISMS documentation is a big task”.

The User Instructions document is one you can work to but you’d have to sit down and study it. But, man, are we gearing up for a massive project here? This is the first document which divides the task out into stages and is the closest to a bullet point methodology I’ve seen. It refers to many other documents, Risk Assessments and other phenomena, many of which I don’t know what they are. It does at least tell me the order in which I have to begin trying to understand them.

Based on notes from my diary and other records from May 2008.

I feel that I am now in a strong position with regards to ISO 9001 and ISO 14001. My attention turns to finding information on the practical implementation of 27001 in an SME.

After the struggle of finding information on ISO 9001 and ISO 14001, my patience is wearing a bit thin with the nature of information that is available on these standards.

Most of the material features in-depth discussion on corporate governance or charts which to my mind make a simple idea much more complex than it needs to be. It seems that when a point could be made in one or two sentences, ISO authors write two sides of prose instead. They throw in a chart, and, if they’re really overloading, a table or figure as well. What’s more, the figures have numbers, e.g. “3.1a”, and the figure or chart is always over the page from the text that refers to it and explains it – so one has to keep page-flipping between the two.

Judging by my searching on ISO 27001, all or most Google information security roads appear to lead to www.itgovernance.co.uk (ITG). Unlike for ISO 9001, Google searches for ISO 27001 do not go many page searches deep in terms of relevant results.

These Google road signs lead to ‘ITG’ either because it’s good, because it’s the only one there, or both.

My first download about 27001 is IT Governance’s Introduction to Information Security and 27001 – 6 sides. This is pretty useful. It sets the scene quite well for a director or manager who’s thinking about going for it and sets the background to the standard well. I pick up on some particular sentences: “the most time-consuming….part of the entire project is the development of documentation that sets out how the ISMS works.” I would have guessed this but it just underlines what the challenge is going to be, judging by my ISO 9001 experience to date.

At the end of the ITG intro document is a list of additional resources which turn out all to be available from their own website! OK, so this intro document has set the scene and now the next task is to have a look around the site.

I take stock of the situation regarding the ISO consultants I have contacted.

Terry Russell of www.iso9001.co.uk replied to my requirements letter today but it wasn’t encouraging. He said he could supply everything I wanted – and he is UKAS accredited – but didn’t seem that keen to oblige.

He said:

(a) your Invitation to Tender asks for copies of work that we have produced for others. I simply will not provide the procedures of any of our clients to another organisation, under any circumstances.
(b) we normally only provide services to applicants who are referred to us by existing clients. You’ll understand that the risks go both ways. If we provide services to you, I need assurance that you are financially sound and are the sort of client that we would want.

I know this sounds very fussy, but we are fussy about our clients. With your timescales, it would not provide me with sufficient time to conduct our checks on your organisation.

Sorry about that.

I phoned Paul from RPPT Associates but he said that he was too far away and too busy to get involved. He said he could provide coaching from a distance but he suggested I look for someone more local.

On top of this, some considerable time after sending my written requirements to FXXP there is still no reply from them – despite the fact that Liz said she’d look into it.

So it seems that no-one is interested! 

Is it because:

  • My requirements are out of scope for these consultants?
  • My requirements are too exacting and demanding for them?
  • There isn’t really anyone out there who has done what I am trying to do in the way I am trying to do it?

I like to think and hope it’s the latter – if only because it helps me reverse out of this cul-de-sac to spur myself on.

Based on notes from my diary and other records from April 2008.

This afternoon I turned my attention to books I can buy, so I have been browsing through anything that Amazon has to offer on any of the three standards. I am focussing particularly on ones written with small to mid-sized businesses (as opposed to corporates) in mind.

There is a lot on ISO 9001, less on ISO 14001 and comparatively little on ISO 27001. Restricting my searches to books specifically for SMEs doesn’t yield much. Google Books is handy for peeking inside several of the titles I see on Amazon to see if they are relevant. The majority of the books are academic in their approach or talk about management theory. They talk about the models one should use and the considerations one should take into account - but there’s so, so little on practical applications - particularly for an SME.

In the end I buy two books for a total price of about £80.

  1. ISO9001:2000 for Small Business by Ray Tricker and
  2. IT Governance: A Manager’s Guide to Data Security and ISO 27001/ ISO 27002 by Alan Calder

The big potential advantage with the latter is that it was very recently published, so it should be up to date.

Based on diary entries from April 2008.

With regards to the overall development of the business, things are now starting to take shape. The company has a website, promotional material and a brand identity. I am settled on an on-site data destruction business model and that there will be no US joint venture. Finally, I have a preferred ERP package.

I am always conscious of the need to get the phasing of a start-up right. In other words, if something is going to take a while to come to fruition then make sure you start it early. One such example is becoming a supplier in the public sector. One part of achieving this is having the accreditations and the ISOs – another is learning your way around the public sector – how to “play the game”. I need to consolidate my knowledge about the public sector now so I can build it into the business development plan.

I’ve still got Steven Regelado’s card from the Lambeth Meet the Buyer Event at the YMCA. So I email him and ask him the name of the lady who presented alongside him, which I have forgotten. After a short delay he replies that it’s Carol Hustler of Supply London.

I speak to Carol. She tells me I need to register with Supply London. I can attend some free training courses aimed at helping me become a public sector supplier. One on Health and Safety, one on environmental considerations, one on writing a quality policy and another all-day one on supplying the public sector in general. I might also get free help from a consultant.

After my previous dealings with Business Link, I am sceptical about the level and quality of advice one gets from these government agencies. But I am going to take full advantage and attend the courses.

Based on entries in my diary from March 2008.
